Captive insurance companies with cyber policies could benefit from the financial backstop provided by the US Terrorism Risk Insurance Act (TRIA) programme, however, there are concerns around the wording of the programme with regard to the definition of terrorism and programme triggers.

This is according to a CICA 2018 International Conference Session, “The Risky Business of Cyber: From Traditional to Terrorism,” with speakers Prabal Lakhanpal, consultant at Spring Consulting Group, and Stephen Viña, senior vice president and senior advisory specialist, Marsh Captive Solutions.

As of December 27, 2016, cyber liability policies were confirmed to be included under TRIA and available for reimbursement from the Federal Government.

But the cyber attack must still meet the act of terrorism definition, certification and TRIA triggers to receive backstop.

One of the prerequisites in order for the event to be certified as an “act of terrorism” by the Secretary of Treasury is that it has to be committed by individual or individuals acting on behalf of any foreign person or interest, as part of an effort to coerce the US civilian population or to influence the policy to affect the conduct of US government by coercion.

Events overseas provide an example of the type of event that might trigger the programme in terms of damage. In 2014, details of a cyber attack on a German steel-mill emerged, showing that attackers had stolen logins that gave them access to the mill’s control systems, leading to parts of the plant failing and the blast furnace could not be shut down.

Viña said the US has a hard time attributing cyber attacks right now - the US government didn’t officially blame Russia for the NotPetya virus which initially targeted Ukraine until February 2018, when the ransomware was first discovered in 2016.

NotPetya was a 2017 cyber attack that began in the Ukraine and spread across the world causing serious disruptions to multiple global businesses. Viña noted the attacks spread across the world, with some losses of upwards of $300 million.

The panel suggested that placing cyber risks specifically in captives has a number of advantages, such as customisable coverage, enhanced reporting capabilities, privacy in the sense of being able to write policies that suit their needs without disclosing information to third parties; pricing and policy limits, and also the fact captives can underwrite both first and third party risks.

Lakhanpal added: “Captives provide an opportunity to not only capture that data but to help address needs, customise coverage and address unique concerns relating to organisations.”